Christmas has come early for the new British Prime Minister. Theresa May’s pet project, the ‘Snooper’s Charter’ to massively ramp up state surveillance, was defeated by Lib Dem opposition during the previous coalition government. But just hours after the ballots were counted on 8 May 2015, a triumphant May announced that the new, unrestrained Conservative government would resurrect the bill, in order to ensure the security services can “keep us safe and secure”. Last week this new Investigatory Powers (IP) Bill passed the final reading in the House of Lords and is likely to become law before the year is up.
Debate around the bill – limited as it was – has tended to polarise around two sometimes abstract positions: On the one hand, those who believe that ‘ordinary’ citizens should have no reason to fear a bit of state surveillance; on the other, those who issue dire warnings about freedom and privacy. So what’s the issue with this legislation – and what will actually change when the IP Bill becomes law?
Britain already tops the charts in terms of surveillance. The prevalence of CCTV in our towns and cities – an estimated 1.85 million cameras – is often referenced, but far more pervasive and concerning are the less visible symptoms of our surveillance society.
The extent of digital mass surveillance used by security services in both the UK and US was exposed by Edward Snowden’s revelations in 2013; since then further disclosures have painted a picture of vast and often unlawful spying by MI5, MI6 and GCHQ. Just recently, a legal challenge by Privacy International resulted in the independent Investigatory Powers Tribunal ruling that this spying amounted to 17 years of illegal data collection, including phone and web use.
What the Investigatory Powers Bill means in practice:
Bulk data interception
This is the aspect of the IP Bill that has had the most coverage – but in reality it largely legalises the snooping that’s been going on for many years. That is, the bulk interception of communications traffic through various means, most notably by tapping the fibre-optic cables where they come ashore. Phone call ‘metadata’ - who, when, and for how long you spoke - has also long been gathered, on dubious legal grounds. Now, web and phone companies will have to store these records for twelve months, and remove encryption if ordered by the government.
Internet Connection Records
Arguably more intrusive, though, is the new power to snoop on your actual browsing history. Which websites you visit (though not the specific address within that site; that would be “intrusive”) and which apps you use, and when. These records, too, will be held for a year. No other European country has attempted this level of intrusion into its citizens internet activity; Denmark had a go, but scrapped it because it didn’t actually help catch criminals.
Your phone, computer and whole networks, under this legislation, could be hacked by police and intelligence agencies on what look to be very vague grounds. This “equipment interference” will mean police, security services and the armed forces have the ability to secretly access and alter whatever is on your devices, including encrypted data. GPS location, real-time internet activity and passwords can all be accessed when you hack a phone or computer.
The equipment interference powers have been under-reported but are really quite unprecedented and extreme measures. In particular, bulk hacking warrants will allow authorities to target whole groups of people, not just one individual – and if innocent people are hacked in the process, this apparently is not a problem. The risk of arbitrary targeting is, of course, enormous.
More jargon here, but what the bill calls “bulk personal datasets” can be any database held by private or public sector organisations, holding information on potentially very large numbers of people. A request from the Home Secretary to hand over these databases would be non-negotiable, and the data could include medical, financial or otherwise personal information – tax histories, hospital appointments, flight records; the potential list is endless. Like bulk communications interception, this power is already in use; the IP Bill provides grounds for warrants. Again, you wouldn’t be informed if your personal information had been included in a warrant. The Home Secretary has to get approval from a judicial commissioner, but if unsuccessful, can go over their head.
The government has defended these measures as necessary in the fight against crime and terrorism; it’s also supposed to bring the law on digital communications up to date with technological changes. But the actual effectiveness of many of these measures is still in question. NSA whistleblower Bill Binney, featured in the Moving Docs film A Good American, has repeatedly warned that bulk surveillance does not prevent terrorism, but rather swamps analysts in a deluge of random information, while also stripping citizens of their right to privacy.
Ostensibly, the bill is meant to replace the controversial Regulation of Investigatory Powers Act (RIPA), which runs out in December. RIPA saw a spate of privacy invasions by police, most notably on journalists. The Metropolitan Police, London’s somewhat notorious law enforcement, made headlines by banning campaigning magazine Press Gazette from submitting further FOIs on the extent of the force’s snooping. Police Scotland had its own scandal on this; thanks largely to diligent work by MSPs on the policing sub-committee, top brass had to explain themselves in parliament. But how much more has gone unreported?
The new IP legislation will, it seems, perpetuate this problem, as well as threatening the protections long enjoyed by legal professionals. The safeguards frequently mentioned by May and the bill’s proponents have been condemned as far too weak by a whole swathe of experts and NGO. What the bill calls “judicial authorisation” is arguably nothing of the sort: the role of judicial commissioners will be limited to review, rather than veto, for interception warrants; NGO Liberty calls them “glorified rubber-stampers”. Ministers, most often the Home Secretary, will continue to authorise warrants for interception and interference. In 2014, Theresa May authorised more than 2,300 such warrants. The Anderson review of the IP Bill recommended that only judicial commissioners have the power to issue warrants. The government ignored this recommendation.
It’s easy, perhaps, to sound alarmist over mass surveillance. But as NGOs, experts and whistleblowers – including Edward Snowden – have pointed out, this bill takes the UK farther down the path of intrusive state surveillance than any other democratic country. The ease with which it passed through both Houses of Parliament, under cover of Brexit and with little opposition, is remarkable.
It seems likely that aspects of the legislation will be met with legal challenge. This most frequently happens at the European Court of Human Rights (ECHR) or the Court of Justice of the European Union – the latter is, in fact, about to issue a decision on the UK’s existing data retention laws. The prospect of Brexit means the government may feel it can ignore any such rulings; the Prime Minister has declared her intention to withdraw the UK not just from the EU’s Court of Justice, but from the separate human rights convention; the treaty which the ECHR rules on.
Aside from court rulings, though, there’s the implications for the tech and service industry in the UK. There have been warnings of significant damage to the industry, not just due to the as-yet unknown costs of storing all communications and ICR data, but the perception among clients that British companies would no longer be able to store their data securely.
Perhaps the paltry media coverage of this bill will increase once these legal and economic implications become starker, or if stories of misuse, abuse and arbitrary targeting by authorities start to appear; then perhaps the government – and the Labour Party, which failed to oppose the bill despite high-minded rhetoric – will face tougher questions.
A Good American in cinemas